News
Remote vulnerability found in torrent client Transmission
Tavis Ormandy discovered a vulnerability in Transmission that can be exploited through a DNS rebinding attack, which he explains nicely.
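The standard mitigation for DNS rebinding against a localhost web or RPC service is to check the Host header against an allowlist before handling the request, because the browser keeps sending the attacker's hostname even after the name has been rebound to 127.0.0.1. The following is an added illustration of that check, not code from Transmission or from the newsletter; the allowlist and the `handle_rpc` dispatcher are assumptions for a loopback-only service.

```python
# Added example: Host-header allowlist as a DNS rebinding defence for a
# loopback-only HTTP/RPC service. Not Transmission's code; the service layout
# and the allowlist below are assumptions.
from typing import Optional

# Assumed deployment: the service is only ever reached via loopback.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _strip_port(host: str) -> str:
    """Remove a trailing :port; a bracketed IPv6 literal keeps its brackets."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    # Unbracketed IPv6 is not valid in a Host header, so a single rsplit is enough.
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_header_allowed(host_header: Optional[str], allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this service directly.

    A rebinding page makes the browser resolve attacker.example to 127.0.0.1,
    but the request still carries "Host: attacker.example", so it is rejected.
    Requests with no Host header at all are rejected as well.
    """
    if not host_header:
        return False
    host = _strip_port(host_header.strip().lower())
    return host in allowed


def handle_rpc(headers: dict) -> tuple:
    """Minimal dispatch: 421 for a Host we do not serve, 200 otherwise."""
    host = headers.get("Host") or headers.get("host")
    if not host_header_allowed(host):
        return 421, "Misdirected Request: Host header not recognised"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one genuine local client, one rebound origin.
    print(handle_rpc({"Host": "localhost:9091"}))
    print(handle_rpc({"Host": "attacker.example:9091"}))
```

Pairing this with a per-session token (as RPC services commonly do) closes the remaining gap where the attacker page can guess the service port but not the token.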
BlackWallet cryptocurrency site loses users’ money after DNS hijack
BlackWallet, an online wallet for the cryptocurrency Stellar, was hacked. The attacker got control of the DNS records and replaced the real site with an identical copy of his own, which siphoned off your coins once you entered your private key. About $425,000 was stolen.
Intel AMT security heads-up related to physical access
The usual wisdom is that when someone has physical access to your device, you're done for anyway. But this deserves a heads-up: if you have AMT enabled, make sure you change the BIOS Extension password from its default 'admin', which apparently most people don't. A malicious person can compromise your machine in under 30 seconds, bypassing the BIOS password, BitLocker encryption, etc., and open up your device for remote login.
Oracle addresses 237 vulnerabilities across multiple products
Most of them allow remote exploitation, so get those updates going.
Also, make sure your older patches are applied too. A bunch of attacks are underway where Oracle PeopleSoft and WebLogic servers are compromised to mine Monero.
Lenovo found and patched backdoor in RackSwitch and BladeCenter products
The backdoor was introduced 14 years ago at Nortel Networks, which was eventually bought by Lenovo. It was discovered by Lenovo themselves. Fortunately the backdoor only opens under very strict and rare conditions.
Mozilla restricts all new Firefox features to HTTPS only
Any new Firefox features that are shipped in the future will only work in 'Secure contexts', meaning that they'll only work on HTTPS websites or on localhost.
GSuite releases Security Center for enterprise customers
If you run an enterprise GSuite account, this will make you happy. It's a dashboard showing things like the number of documents being shared, insecure e-mail settings, the amount of inbound spam/phishing, etc.
Bad guys getting caught
Always good to know that not everyone gets away with malicious stuff.
There were quite a few arrests/indictments this week, so I figured I'd group 'em up:
- The creator of the FruitFly Mac malware, which ran for 13 years: link
- A hacker that was part of the 'Fappening': link
- The creator of both Cryptex (a service to scramble binaries so they aren't detected by antivirus) and reFUD.me (a service to test if antivirus detected your virus): link
- The operator of LeakedSource, a service where you paid to get access to uncensored data dumps of user information: link
Stackhackr: mock malware
This might be fun to play around with. You can create your own mock malware which behaves like the real thing, just without actual damage, and see if your defences hold.
DNSFS. Store your files in others' DNS resolver caches
Cool research that explores using the cache of open DNS resolvers to store files, dubbed DNSFS :-)
Sponsorships
Automated vulnerability scans of web applications in the SDLC
Integration of web application security in the SDLC has become really important. Businesses are pushing new code to production multiple times in a day, so it is vital that security flaws are identified at source. Listen to Paul’s Security Weekly podcast discussing this, scaling up web application security, time management for penetration testers and more.